Monday, September 03, 2018

On August 10th, many American financial institutions received a warning from the FBI that the Bureau had found evidence that criminals were plotting an "Unlimited Operation." We've written about these Unlimited Attacks a number of times in the past in this blog, but this is the first time that we know of where the FBI announced the attack beforehand. In these attacks, hackers compromise the internal systems of a bank and gain control of the systems that enforce ATM withdrawal limits, so that those limits can be bypassed or reset at will. The magnetic stripe data for a selected set of cards is then shared with trusted cash-out gangs around the world, who encode the stripe data onto physical cards and stand by for the pre-arranged attack to begin. Once zero hour arrives, hundreds of cash-out gang members begin draining every ATM they can find, literally emptying the machines, with the balance available for withdrawal being reset in real time by the hackers inside the targeted bank's systems.

The Times of India reported on August 14th "How hackers siphoned over Rs 94 crore off a co-operative bank in Pune", revealing that the 112-year-old Cosmos Bank was the target of the attack. During this attack the hackers were able to make the ATM network approve transactions by validating the authorization requests against a fake payment gateway under the hackers' control, rather than against the bank's own systems. In 2.5 hours, from 3 pm to 5:30 pm, 12,000 Visa card transactions withdrew Rs 78 crore (approximately $10.9 million USD) before Cosmos Bank terminated all ATM Visa transactions; RuPay transactions, however, continued until at least 10 pm. RuPay is an India-only card system designed to allow national payments in India without reliance on Visa and Mastercard. 2,890 India-based RuPay transactions totaled an additional Rs 2.5 crore ($351,500 USD). In addition to the ATM damages, on August 13th the same hackers wired Rs 13.94 crore (almost $2 million USD) to Hong Kong via a fraudulent SWIFT transfer (three separate MT103 messages sent to ALM Trading Limited at Hang Seng Bank in Hong Kong, according to Securonix's analysis of the event). Securonix believes the behavior of the attackers is consistent with the North Korea-based APT group known as "Lazarus Group". MITRE's ATT&CK program (Adversarial Tactics, Techniques & Common Knowledge) provides more information on the Lazarus Group.
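The defining feature of an Unlimited attack, as described in the two paragraphs above, is that the bank's own limit enforcement is exactly what the intruders control, so per-card limits checked inside the compromised card-management system will pass every withdrawal. The detection logic below is an added example (not code from the original post, from Cosmos Bank, or from any of the vendors mentioned): it applies an independent withdrawal-velocity policy and a burst detector to a copy of the ATM authorization stream, such as the switch logs, rather than trusting the limits the card system reports. The record layout, the sample records, and the threshold values are all assumptions constructed for the example.

```python
"""Independent velocity and burst checks over an ATM authorization stream.

Added example. The record format, thresholds and sample data are assumed; the
sample is constructed to show normal traffic plus one cloned card being drained
at several ATMs within a few minutes, the per-card pattern of an Unlimited
cash-out. It is not real Cosmos Bank data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records: (ISO timestamp, card token, ATM id, ATM country,
# amount in INR, approved by the authorization host).
SAMPLE_AUTHS = [
    ("2018-08-11T14:58:10", "card-0001", "atm-IN-01", "IN", 5000, True),
    ("2018-08-11T14:59:30", "card-0002", "atm-IN-02", "IN", 2000, True),
    ("2018-08-11T15:00:05", "card-9001", "atm-CA-11", "CA", 20000, True),
    ("2018-08-11T15:02:40", "card-9001", "atm-CA-11", "CA", 20000, True),
    ("2018-08-11T15:05:12", "card-9001", "atm-CA-12", "CA", 20000, True),
    ("2018-08-11T15:07:55", "card-9001", "atm-CA-12", "CA", 20000, True),
    ("2018-08-11T15:10:20", "card-9001", "atm-CA-13", "CA", 20000, True),
    ("2018-08-11T15:12:00", "card-0003", "atm-IN-03", "IN", 1000, True),
    ("2018-08-11T15:13:45", "card-9001", "atm-CA-13", "CA", 20000, True),
    ("2018-08-11T15:15:00", "card-0004", "atm-IN-01", "IN", 3000, False),
]

# Policy held outside the card-management system (assumed values). The point is
# that an intruder who resets the bank's own limits does not change these.
MAX_WITHDRAWALS_PER_WINDOW = 3
MAX_AMOUNT_PER_WINDOW = 40000          # INR
WINDOW = timedelta(hours=1)
BUCKET = timedelta(minutes=15)
BASELINE_APPROVED_PER_BUCKET = 50000   # INR, assumed normal cash-out per bucket


def parse(record):
    ts, card, atm, country, amount, approved = record
    return {"ts": datetime.fromisoformat(ts), "card": card, "atm": atm,
            "country": country, "amount": amount, "approved": approved}


def per_card_velocity(auths):
    """Cards whose approved withdrawals in any sliding WINDOW exceed the
    independent count or amount limit. Returns {card: (count, total, atms)}
    for the worst window seen per card."""
    by_card = defaultdict(list)
    for a in map(parse, auths):
        if a["approved"]:
            by_card[a["card"]].append(a)
    alerts = {}
    for card, txns in by_card.items():
        txns.sort(key=lambda a: a["ts"])
        for i, start in enumerate(txns):
            window = [t for t in txns[i:] if t["ts"] - start["ts"] <= WINDOW]
            count = len(window)
            total = sum(t["amount"] for t in window)
            if count > MAX_WITHDRAWALS_PER_WINDOW or total > MAX_AMOUNT_PER_WINDOW:
                atms = len({t["atm"] for t in window})
                if card not in alerts or total > alerts[card][1]:
                    alerts[card] = (count, total, atms)
    return alerts


def cashout_bursts(auths):
    """Fixed-size time buckets where the approved cash leaving the ATM estate
    exceeds the baseline, regardless of which cards were used. Returns
    {bucket start (ISO string): (approved count, approved total)}."""
    buckets = defaultdict(lambda: [0, 0])
    step = int(BUCKET.total_seconds() // 60)
    for a in map(parse, auths):
        if not a["approved"]:
            continue
        ts = a["ts"]
        start = ts.replace(minute=ts.minute - ts.minute % step, second=0, microsecond=0)
        buckets[start][0] += 1
        buckets[start][1] += a["amount"]
    return {start.isoformat(): (n, total)
            for start, (n, total) in sorted(buckets.items())
            if total > BASELINE_APPROVED_PER_BUCKET}


if __name__ == "__main__":
    for card, (n, total, atms) in per_card_velocity(SAMPLE_AUTHS).items():
        print(f"velocity alert: {card} {n} withdrawals, INR {total}, {atms} ATMs")
    for start, (n, total) in cashout_bursts(SAMPLE_AUTHS).items():
        print(f"burst alert: bucket {start} {n} approvals, INR {total}")
```

The two detectors are deliberately complementary. The per-card check catches the cloned card being run repeatedly, even though the authorization host approved every request; the bucket check catches the aggregate wave even if the gang spreads its withdrawals across enough "dummy" cards that no single card trips the velocity limit. In the Cosmos case, where a fake gateway was answering authorization requests, the second check would also be the place to compare approval rates against the bank's normal decline rate, since a gateway that approves everything produces a near-zero decline rate that legitimate traffic never does.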

As with many previous Unlimited attacks, Cosmos Bank chairman Milind Kale said that no customer accounts were impacted, as these were "dummy" accounts that were established for the attack. If this attack is like historical ones, many of the follow-up arrests will come from using ATM video footage to identify individual cash-out gangs and try to follow their communications back to the criminals who recruited them for the scheme.